Newsgroups: php.internals
Message-ID: <6529a816-e229-cfbb-26e4-1cc835279fd9@bastelstu.be>
Date: Fri, 22 Sep 2023 09:25:10 +0200
To: Nicolas Grekas
Cc: PHP internals
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
From: tim@bastelstu.be (Tim Düsterhus)

Hi

On 9/22/23 09:04, Nicolas Grekas wrote:
> For the record, I voted for 11 because I think it's nicer to end users (I
> guess many don't know they could have a potential DoS vector via password
> submissions), and also because it's going to be easy to raise again in
> 8.5/9.0.
>
> I was wondering if you considered also raising the Argon2 default cost? Has
> this been discussed?

I did not consider this, because I don't have sufficient knowledge about Argon2's behavior to write up a proper RFC for that without spreading misinformation. For the reasons mentioned in https://news-web.php.net/php.internals/120996, I do not use Argon2 myself.

See also this comment for further information: https://github.com/laravel/laravel/pull/6245#issuecomment-1730504804 and the Fediverse thread I linked in the initial email opening the vote.

Best regards
Tim Düsterhus